DNS-01 challenge: nxdomain even though configuration appears correct

My domain is: the-gdn.net (all subdomains)

I ran this command: nixos-rebuild, ran lego --accept-tos --path . -d turn.the-gdn.net --email draeand@the-gdn.net --key-type ec256 --dns linode --dns.resolvers 1.1.1.1:53 run

It produced this output:

2023/10/17 03:21:07 [INFO] [turn.the-gdn.net] acme: Obtaining bundled SAN certificate
2023/10/17 03:21:07 [INFO] [turn.the-gdn.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/274610722916
2023/10/17 03:21:07 [INFO] [turn.the-gdn.net] acme: Could not find solver for: tls-alpn-01
2023/10/17 03:21:07 [INFO] [turn.the-gdn.net] acme: Could not find solver for: http-01
2023/10/17 03:21:07 [INFO] [turn.the-gdn.net] acme: use dns-01 solver
2023/10/17 03:21:07 [INFO] [turn.the-gdn.net] acme: Preparing to solve DNS-01
2023/10/17 03:21:08 [INFO] [turn.the-gdn.net] acme: Trying to solve DNS-01
2023/10/17 03:21:08 [INFO] [turn.the-gdn.net] acme: Checking DNS record propagation using [1.1.1.1:53]
2023/10/17 03:21:23 [INFO] Wait for propagation [timeout: 16m0s, interval: 15s]
2023/10/17 03:21:23 [INFO] [turn.the-gdn.net] acme: Waiting for DNS record propagation.
2023/10/17 03:21:38 [INFO] [turn.the-gdn.net] acme: Waiting for DNS record propagation.
2023/10/17 03:21:53 [INFO] [turn.the-gdn.net] acme: Waiting for DNS record propagation.
2023/10/17 03:22:09 [INFO] [turn.the-gdn.net] acme: Waiting for DNS record propagation.
2023/10/17 03:22:24 [INFO] [turn.the-gdn.net] acme: Waiting for DNS record propagation.
2023/10/17 03:22:39 [INFO] [turn.the-gdn.net] acme: Waiting for DNS record propagation.
2023/10/17 03:23:00 [INFO] [turn.the-gdn.net] acme: Cleaning DNS-01 challenge
2023/10/17 03:23:01 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/274610722916
2023/10/17 03:23:01 Could not obtain certificates:
	error: one or more domains had a problem:
[turn.the-gdn.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.turn.the-gdn.net - check that a DNS record exists for this domain

My web server is (include version): N/A, using DNS-01 challenge

The operating system my web server runs on is (include version): NixOS 23.05.4335.898cb2064b6e

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.11.0

Extra context:

I have my LINODE_TOKEN environment variable set up properly and am allowing the DNS propagation check to complete. When run in a normal nix shell, everything works fine (at least on the staging environment); however, when run via nixos-rebuild, it fails with the aforementioned error. I thought that maybe it had something to do with DNS propagation checking, so I turned that off, and it continued to fail. So I'm extremely confused at this point, because I've given it read/write access to my domain's records (!), so it should be having zero problems trying to create a TXT record and then verifying that said record exists. The subdomain is just a CNAME record, but I don't see how that would change anything. I've checked with letsdebug and it says all is okay... So, yeah, very confused.

hmm...
See if the SOA records are incrementing after each run.
Presently:
serial = 2021000034

3 Likes

Can you check to see if that is being allowed?
[and if that DNS server will return anything for other queries]

3 Likes

What do you mean by "being allowed"? I'm not sure what would be denying it; I don't have any configuration that would forbid it, nor do I have, e.g., CAA records. And it definitely should be able to return other DNS queries -- it's Cloudflare's DNS.

That no firewall is blocking it
That the routing is in place to allow it to complete correctly.
etc.

Can you do a DNS test from that system?

3 Likes

I don't know the difference between "normal nix shell" and whatever happens within "nixos-rebuild".

3 Likes

I can definitely confirm that DNS lookups work fine. Everything but the Let's Encrypt DNS resolver setting (which is the IP 1.1.1.1:53) uses domain names.

Nixos-rebuild is what consumes the configuration file and realizes it in the system. It's a significantly sandboxed environment, but in certain circumstances (such as this one) it does allow network access.

And no, the serial number isn't being updated. So for some reason it isn't modifying anything, even though it should be.

1 Like

I would try increasing the total wait time.
[that seems to be less than 2 minutes]
OR
Try using some other DNS server.
[like one of the authoritative ones]

2 Likes

Have you run it since I posted?:

I see this now:
serial = 2021000038

2 Likes

I just told it to use the default DNS provider.

I understand, but that is not the fastest/shortest DNS path, and it can be affected by caching/TTL.
[your authoritative servers are best]

OR

Maybe you can disable the [pre]check altogether.

3 Likes
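The two checks suggested above (watch the SOA serial change after each run, and query the zone's authoritative servers for the TXT record instead of a recursive resolver that may answer from cache) as an added shell example; this is not code from the thread or from lego. It assumes `dig` is installed, and the zone and challenge names are the ones from the original post.

```shell
#!/bin/sh
# Added example: verify a DNS-01 challenge record against the authoritative
# servers of the zone. Names below are from the thread; `dig` is assumed.

ZONE="the-gdn.net"
CHALLENGE_NAME="_acme-challenge.turn.the-gdn.net"

# Authoritative name servers for the zone apex, one per line, trailing dot removed.
authoritative_servers() {  # $1 = zone
    dig +short NS "$1" | sed 's/\.$//'
}

# SOA serial as seen by one server. If it never changes between lego runs, the
# provider API did not write the zone at all (the symptom discussed above).
soa_serial() {  # $1 = server, $2 = zone
    dig +short @"$1" SOA "$2" | awk '{print $3}'
}

# Returns 0 when the new serial is strictly greater than the old one.
serial_advanced() {  # $1 = old serial, $2 = new serial
    [ "$2" -gt "$1" ] 2>/dev/null
}

# TXT values for the challenge name as seen by one server, quotes stripped.
challenge_txt() {  # $1 = server, $2 = name
    dig +short @"$1" TXT "$2" | tr -d '"'
}

# Returns 0 when one of the newline-separated values in $1 equals $2 exactly.
txt_has_value() {  # $1 = TXT values, $2 = expected token
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Ask every authoritative server; an empty answer is the NXDOMAIN case from the log.
check_challenge() {  # $1 = zone, $2 = challenge name, $3 = expected token (optional)
    for ns in $(authoritative_servers "$1"); do
        serial=$(soa_serial "$ns" "$1")
        values=$(challenge_txt "$ns" "$2")
        if [ -z "$values" ]; then
            echo "$ns: serial=$serial  $2 -> no TXT record (NXDOMAIN/empty)"
        elif [ -n "$3" ] && txt_has_value "$values" "$3"; then
            echo "$ns: serial=$serial  $2 -> TXT matches expected token"
        else
            echo "$ns: serial=$serial  $2 -> TXT present: $(printf '%s' "$values" | tr '\n' ' ')"
        fi
    done
}

# Usage: sh check.sh <zone> <challenge-name> [expected-token]
if [ "$#" -ge 2 ]; then
    check_challenge "$1" "$2" "${3:-}"
fi
```

Run it once before and once after a lego attempt (with the propagation check disabled so the record is not cleaned up immediately) and compare the serial and TXT lines per server.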

Yeah, I ran it like you said. I checked with dig and you're right, it did change. So it's working, it's just not working properly. Hmmm. I'll keep poking around.

Alrighty, got it working, think I just needed to reboot after a kernel update. Everything is working flawlessly now.

2 Likes